Snort mailing list archives
Snort Newbie
From: jzorzi () marketlinksolutions com
Date: Thu, 3 Mar 2005 14:44:18 -0500
Thanks for your response, I have another question now. How is it possible that snort is monitoring communication between 2 machines that are on a different subnet than the snort machine? The machine running snort is on the 192.168.255.0/24 network, but in the log analysis I see these entries:

  attacks  from          to             method
  =========================================================================
  47       192.168.0.97  192.168.0.103  SNMP request udp {UDP}
  44       192.168.0.97  192.168.0.103  SNMP public access udp {UDP}
  44       192.168.0.97  192.168.0.104  SNMP public access udp {UDP}
  44       192.168.0.97  192.168.0.104  SNMP request udp {UDP}

My HOME_NET is set up as follows:

  var HOME_NET [192.168.255.0/24,192.168.0.0/24,192.168.3.0/24,192.168.4.0/24]

The EXTERNAL_NET was set up as follows (until I received your email):

  var EXTERNAL_NET any

Now, due to significant changes being applied to the network structure, all the machines are not physically separated via cables and switches, but the IPs still need to go through the routers in place. What I mean is that the physical network structure is set up to be one complete entity with no VLANs and no physical wire separation. During this period of change, though, the IP subnets still exist, which means that there are routers in place to route the IP traffic appropriately. The switches aren't configured with any VLANs or monitoring ports, and STP (Spanning Tree Protocol) is turned on for all switches except for the switch that the snort server resides on. The switches are Cisco Catalyst switches.

The program used to generate the result set was "snort_stat", retrieved from the snort.org website.

Given this information, how is the above result set possible? Does snort proactively monitor all communication on the network, meaning does snort monitor traffic that isn't destined for the machine it runs on?

Thanks in advance for your help. I'm a snort newbie and just trying to figure out how to configure and understand how snort works.

Jay Zorzi
Systems Administrator, Information Technology
MarketLink Solutions
see further. achieve more.
e - jzorzi () marketlinksolutions com
t - 416.260.2800 x299
f - 416.260.2893